CVE-2019-1425 — Visual Studio Elevation of Privilege Vulnerability
Executive Summary
An elevation of privilege vulnerability exists when Visual Studio fails to properly validate hardlinks while extracting archived files. An attacker who successfully exploited this vulnerability could overwrite arbitrary files in the security context of the local system. To exploit this vulnerability, an attacker would need to trick an elevated user into downloading a malicious package, either by getting them to open a malicious project or convincing them to add a malicious package to an existing project. The vulnerabilities were introduced by NPM packages used by Visual Studio and subsequently addressed via the following two NPM advisories: Arbitrary File Overwrite - tar Arbitrary File Overwrite - fstream The update addresses the vulnerability by updating the NPM packages, which corrects how Visual Studio validates hardlinks during extraction of file archives.
Overview
EPSS Score
Affected Products
| Product | KB Article | Severity | Impact | Restart Required |
|---|---|---|---|---|
| Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
| Microsoft Visual Studio 2019 version 16.0 | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
| Microsoft Visual Studio 2019 version 16.3 | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
Patches
| Article | Type | Restart |
|---|---|---|
Release Notes |
Security Update | Maybe |
Known Exploits
Acknowledgments
Microsoft has not published researcher acknowledgments for this CVE, or they are not yet reflected in our data source. Check the MSRC advisory directly for the most current credit information.